So what the heck is ASN.1? It’s a standard way, defined in X.680, to describe complex binary data. I know purists will hate me for saying this, but think of it as binary XML. You describe the data format in ASN.1, and then an ASN.1 compiler creates .C[PP] and .H[PP] files that you compile and link into your code. Voila!

For example, the following ASN snippet:

    Stuff DEFINITIONS ::=
    BEGIN

    PersonnelRecord ::= SEQUENCE {
        name          Name,
        title         OCTET STRING,
        number        EmployeeNumber,
        dateOfHire    Date,
        nameOfSpouse  Name}

    Name ::= SEQUENCE {
        givenName     OCTET STRING,
        initial       OCTET STRING,
        familyName    OCTET STRING}

    EmployeeNumber ::= INTEGER

    Date ::= OCTET STRING -- YYYYMMDD

    END

may produce the following header file:

    #include "asn_obj.h"
    #include "stuff.h"

    class Name : public AsnSequence {
    public:
        AsnOctetString givenName;
        AsnOctetString initial;
        AsnOctetString familyName;
        Name();
    };

    typedef AsnInteger EmployeeNumber;
    typedef AsnOctetString Date;

    class PersonnelRecord : public AsnSequence {
    public:
        Name name;
        AsnOctetString title;
        AsnInteger number;
        AsnOctetString dateOfHire;
        Name nameOfSpouse;
        PersonnelRecord();
    };

    PersonnelRecord::PersonnelRecord() {…}

    Name::Name() {…}

The problem is that if the library that cracks the ASN.1 data format has parsing errors, you may have security issues. The real worry is that many network and security protocols use ASN.1, such as X.509 certificates (and therefore SSL/TLS), Kerberos, SNMP, S/MIME, IPSec and so on.

The real lesson is this: code review your ASN.1 parsing code, or library, for integer overflow and buffer overrun issues. Or you may be next!
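To make that review concrete, here is an added example (not from the original post or from any ASN.1 library) of the checks to look for when a parser reads a BER length field and copies an OCTET STRING such as `title` into a fixed buffer. The function names `tlv_header` and `octet_string_copy` are hypothetical, and only single-byte tags with definite lengths are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse one BER TLV header (single-byte tag, definite length) from buf[0..len).
 * Returns 0 and sets *hdr_len / *val_len, or -1 on malformed or truncated input. */
int tlv_header(const uint8_t *buf, size_t len, size_t *hdr_len, size_t *val_len)
{
    if (buf == NULL || len < 2 || (buf[0] & 0x1f) == 0x1f)
        return -1;                      /* too short, or multi-byte tag (not handled) */
    size_t pos = 2, n = buf[1];
    if (n >= 0x80) {                    /* long form: low 7 bits = number of length octets */
        size_t count = n & 0x7f;
        if (count == 0 || count > sizeof(size_t))
            return -1;                  /* indefinite form, or value would overflow size_t */
        if (count > len - pos)
            return -1;                  /* length octets themselves are truncated */
        for (n = 0; count > 0; count--)
            n = (n << 8) | buf[pos++];
    }
    if (n > len - pos)                  /* compare to bytes left; pos + n could wrap */
        return -1;
    *hdr_len = pos;
    *val_len = n;
    return 0;
}

/* Copy an OCTET STRING (tag 0x04) value into a fixed-size buffer. */
int octet_string_copy(const uint8_t *buf, size_t len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t hdr, n;
    if (out == NULL || tlv_header(buf, len, &hdr, &n) != 0 || buf[0] != 0x04)
        return -1;
    if (n > out_cap)                    /* destination bound checked before memcpy */
        return -1;
    memcpy(out, buf + hdr, n);
    *out_len = n;
    return 0;
}

int main(void)
{
    /* Constructed sample: OCTET STRING claiming 0xFFFFFFFF bytes, 1 byte present. */
    const uint8_t bad[] = {0x04, 0x84, 0xff, 0xff, 0xff, 0xff, 0x00};
    uint8_t title[16];
    size_t got = 0;
    return octet_string_copy(bad, sizeof bad, title, sizeof title, &got) == -1 ? 0 : 1;
}
```

The three things to verify in real code are the same as here: the declared length fits the integer type, it fits the bytes actually received, and it fits the destination buffer.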